HIPAA Sample Client Case Study

White Paper

MedAbiliti Software Incorporated

The Challenge

You chose a profession in the health care industry to serve people. You have spent countless hours and vast amounts of effort honing your skills and securing your place in the market. You continue to provide a valued service despite the obstacles set by seemingly uncontrollable costs within the health care industry. And now, the federal government has commissioned various organizations to standardize your way of doing business. How are you supposed to meet this challenge?

A common misconception is that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) complicates the processes associated with providing quality health care. To the contrary, HIPAA is a revolutionary way of doing business in the health care industry, one that promises to curtail health care costs to providers and payers, one that enforces patients' rights to manage their health information, and one that establishes standards to secure information from misuse.

Still, most health care providers fear the changes that HIPAA will bring. At the heart of this trepidation is a lack of education regarding HIPAA, insufficient technical knowledge to make required business changes, and inadequate guidance. MedAbiliti analysts are trained experts who can walk your organization through the processes needed to meet the HIPAA challenge.

MedAbiliti Software, Inc.

Company Description

MedAbiliti Software, Inc., designs, develops, and deploys software for the health care industry. MedAbiliti's approach to development applies international quality assurance methods to application access, data analysis, and process efficiency. MedAbiliti's commitment to structured software methodology, software engineering practices, quality standards for data deployment and access, confidentiality and security of sensitive data, and customer-client management positions it as an emerging industry leader in medical software design and implementation. MedAbiliti Software, Inc. has its HIPAA work reviewed by the law firm of Hollander and Company LLC.

HIPAA Services

The deadlines for compliance with HIPAA regulations are fast approaching. For many organizations, developing policies and procedures to conform to HIPAA standards is simply too costly and complex a project to undertake alone. MedAbiliti prides itself on the ability to leverage expertise in process engineering, systems analysis, and application development to assist clients in their efforts to meet the HIPAA challenge.

In an effort to identify areas of non-compliance, MedAbiliti will audit your existing business processes and IT infrastructure to identify transaction practices, privacy policies, and security measures that fall short of federal requirements. Based on our assessment, MedAbiliti experts will develop custom solutions to meet HIPAA standards while satisfying your specific business requirements. Finally, MedAbiliti representatives will help you over the HIPAA learning curve. Our HIPAA education specialists will train you and your staff on effective measures to implement the necessary policies, procedures, and system changes that are guaranteed to bring your organization to compliance.

Meeting HIPAA standards is not just a goal to be reached, but a way to operate your business in a new and efficient way. MedAbiliti can provide the software, the system audit, and the training needed to guarantee that your organization is meeting HIPAA requirements while cutting unnecessary administrative costs. Please contact us at hipaa@medabiliti.com for more information.

HIPAA Overview

The Health Insurance Portability and Accountability Act (1996) is a sprawling set of federal government regulations and standards designed to control rising health care costs, while ensuring the administration of quality health care. The vast majority of HIPAA standards are related to business process and policy reform within the U.S. health care system. However, the Administrative Simplification provisions within HIPAA intend to standardize information system and application architecture. Administrative Simplification calls for standardization of transactions between providers and payers. At the same time, it requires that the adopted industry methods of data transfer ensure the privacy and security of patient information. HIPAA regulations will be enforced by the U.S. Department of Health and Human Services (DHHS). The Administrative Simplification provisions are comprised of three standard rules: the Transactions and Code Sets Rule, the Privacy Rule, and the Security and Electronic Signature Standards Rule. These rules are individually summarized below.

Transactions and Code Sets Rule

The transactions to which the HIPAA standard refers are largely between health care providers and payers. DHHS mandates standard transaction formats, code sets, and identifiers designed to speed up the interchange of information between entities. This is also designed to save costs in the long run, although some organizations may see costs rise in the short term as operations are brought into compliance and new systems replace old. The Electronic Data Interchange (EDI) standards developed by the Accredited Standards Committee X12 (ASC X12), a standards development organization, were chosen for most HIPAA transactions.

Privacy Rule

The HIPAA Privacy Rule creates a national baseline for the privacy of health care information. It describes the federal government's first step towards ensuring the rights of health care patients. Patients are assured rights under this rule to access their own health records, amend those records, and view an accounting of health information disclosures made.

Among other things, the Privacy Rule describes how patient information must be handled within the health care system. The patient is afforded greater control over personal records. Health care organizations must clearly document and explain to patients which roles are authorized to handle specific health information in specific ways. This rule is applicable to all health care providers and health plans that engage in electronic transactions. An entity that is covered under the Privacy Rule must handle all information, paper-based as well as electronic, in accordance with the rule. Authorization is required from the patient in most cases before individually identifiable health information is used or disclosed for non-routine purposes.

As a way to ensure that privacy controls are established, health care entities are mandated to follow a number of verifiable steps, such as designating a privacy officer and training their staff on privacy policies to comply with this rule.

Security and Electronic Signature Standards Rule

The Security Notice of Proposed Rulemaking (NPRM) was published in August 1998. The final HIPAA Security Rule, "Health Insurance Reform: Security Standards," was issued on February 13, 2003, adopting final standards for the security of electronic protected health information held by health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with a standard transaction. The rule details the administrative, physical, and technical safeguards a covered entity must implement to protect that information from unauthorized users. The Security and Electronic Signature Standards Rule (hereafter referred to simply as the Security Rule; the final rule adopted no electronic signature standard) applies to all electronic protected health information that a covered entity creates, receives, maintains, or transmits, not only to the data exchanged in the standard transactions themselves. Even a one-physician office becomes a covered entity as soon as it submits a single claim electronically, and from that point the Security Rule covers every system that stores or moves its patients' electronic health information. Within an organization, a security officer must be designated, and security policies must be implemented and documented. The rule governs both how people work with medical data and how machines process it.

Compliance Cycle

Satisfying HIPAA requirements is not just a goal to be reached, but a way to operate a business more efficiently over time. To become compliant with HIPAA, an audit of existing business processes, procedures, policies, and systems must be performed. Based on this assessment, revised policies and system enhancement recommendations will be made. Solutions must be implemented. Health care organizations must then be educated on implemented solutions. Lastly, a final audit of the organization must be performed to ensure proper compliance has taken place.

Deadlines

There are separate deadlines for HIPAA Administrative Simplification rules:

How to Meet the Challenge?

You are not alone in your struggle to comply with HIPAA regulations. To illustrate the ways in which MedAbiliti has assisted other clients, we have included a description of a recent consulting project where MedAbiliti was hired for HIPAA compliance auditing and training. What we did for this client, we can do for you.

Case Background

MedAbiliti was approached by a leading occupational health care provider to custom build an application that would increase the company's data sharing capability and help them to meet HIPAA technology standards. As an occupational health care provider, this company committed itself to offering superior health and medical assessment products and services, including data management, substance abuse, on-site medical evaluation, wellness, medical staffing, and related health management services.

Client Assessment

In order to provide this client with a solution that fit its specific business needs, MedAbiliti initiated a project to audit the client's business processes, design a custom solution, provide legal review of the solution, and train the client employees on new efficiencies.

We first conducted a thorough audit of the client's business processes and procedures in order to identify areas of operational inefficiency and non-compliance with HIPAA standards. After an initial assessment of the company's legacy system framework, MedAbiliti analysts learned that the provider had to access and manage numerous data filing systems independently in order to provide adequate customer service. Many of the existing applications used to perform daily tasks were based on older technologies and outdated business models, which required excessive resources to maintain and update. These complications created various performance and data integrity issues and limited the company's testing and reporting capability. To compound the issue, the company's complex data filing system and associated processes did not fully comply with HIPAA privacy or security standards.

Solution Implementation

Successful implementation of standards set by HIPAA will require that planners consider the impact of change (positive and negative) on various areas of the business: Business Culture, Business Processes & Policies, Physical Facilities, and Technical Environment. This effort requires a thorough audit of the business and technical environment to identify areas of inefficiencies and non-compliance with HIPAA standards. Upon completion of this effort, planners must then develop implementation procedures that bring the company to compliance with minimal disruption to business operations.

Based on our assessment of this client's business and technical environment, we were able to develop a customized solution that addressed specific deficiencies and areas of non-compliance within the business culture, daily processes, physical layout of facilities, and technical infrastructure.

Business Culture

Meeting the HIPAA standards, in many cases, will require a cultural shift (not simply a technical shift) within an organization. Transforming the culture of an organization is often the most difficult task of any project. This challenge is magnified in cases where an organization will be required to drastically change its processes, procedures, and responsibilities. In order to overcome this challenge, all employees of an organization must recognize the values of cultural change, and embrace their responsibilities as agents of positive change.

To assist our client to this end, MedAbiliti developed teaching materials and presentations to educate employees on the current business environment, both technical and non-technical, and on how HIPAA requirements would affect business operations. During implementation of MedAbiliti solutions, our education and IT specialists trained the client employees on the technical and non-technical improvements to the business environment. This effort mitigated the stresses that many clients experience as a result of misinformation regarding HIPAA legislation and fear of change. Moreover, MedAbiliti's sensitivity to the client's business culture set the stage for future changes to the business workflow that would be required to meet the HIPAA challenge.

Business Process

In many cases, an organization will be required to enhance or reengineer its business processes in order to comply with HIPAA standards. For many organizations, new policies and procedures will be needed to meet the HIPAA challenge.

In an effort to minimize unnecessary disruption of current business workflow, MedAbiliti analysts performed a thorough audit of this client's current business processes before making any recommendations. Based on this audit, our analysts were able to effectively identify physical and technical areas of non-compliance with HIPAA regulations. We documented the current business design and mapped it to MedAbiliti best practices and HIPAA regulations to develop essential process and policy solutions. Our attorneys were able to use this material to recommend policy changes such that our process, policy, and system recommendations complied with specific HIPAA requirements.

Physical Facilities

HIPAA also focuses on the vulnerability to intrusion of the physical facilities that house sensitive health information. To reduce the likelihood of a physical security breach that would compromise the confidentiality and integrity of health data, MedAbiliti analyzed the client's facilities and associated business processes to uncover areas of security weakness. We discovered faults in the client facility's physical locking systems, security staff practices, and facility surveillance practices. A detailed analysis of these facilities uncovered areas of non-compliance with the physical safeguards of the Security Rule, which we were able to document and address.

Information Technology Infrastructure

HIPAA focuses on the vulnerability of the technical infrastructure of entities as well. During an audit, the components of this infrastructure -- hardware and software -- must be inventoried and analyzed for security weaknesses and process inefficiencies.

MedAbiliti software engineers and consultants analyzed the client's IT infrastructure and customized an integrated medical testing, review, and data sharing system that met and exceeded the customer's business requirements. This innovative technology moved the challenged company away from its tunneled data-centric view to a widened service and task-centric awareness of workflow.

MedAbiliti specialists did not stop there. In an effort to meet HIPAA technical requirements, we customized the system to provide a superior level of security. Our solution controlled access to information through unique user identification combined with role-based access control: each person is authenticated as an individual, and the system permits only the operations that person's role allows. This tailor-made design ensured that only authorized users are able to access, modify, and transfer data, and that every action can be traced back to a specific user rather than to a shared account.

MedAbiliti then addressed the Security Rule's transmission security requirement by incorporating data encryption, so that information intercepted on the network would be unreadable to outside entities. The transfer of data between the central database and its users was protected with Secure Sockets Layer (SSL), using server certificates and 128-bit session keys. Two caveats a practitioner should keep in mind: encryption in transit protects data only while it is moving, not while it sits in the database or once it is displayed to an authorized user; and SSL has since been superseded by TLS, so a current deployment should require TLS 1.2 or later rather than any SSL version.

Even with these controls in place, our job was not done. No design eliminates every possibility of a security breach, and access control and encryption do nothing against misuse by people who are entitled to be in the system. We were still concerned with detecting breaches and misuse of information by those within the client organization. So MedAbiliti experts enhanced this client's infrastructure with an audit logging facility, which could be used to identify where the security controls had failed and to reconstruct what happened afterwards. This logging feature recorded system access, user activity within the system, system alerts, and system errors, so that both an outside intrusion and an insider's misuse would leave a trail for review.
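To make concrete what role-based access control and an audit log buy a covered entity, here is an added example (not MedAbiliti's system or code): a small Python model in which hypothetical roles map to the actions they may perform on PHI records, every access decision is logged whether it is allowed or denied, and two review functions pull a security officer's review queue (users with repeated denials) and a per-record access history out of that log. The roles, user identifiers, record identifiers and activity are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Action(Enum):
    READ = "read"
    UPDATE = "update"
    EXPORT = "export"  # transfer of a record outside the system


# Hypothetical roles (constructed for this example); each maps to the
# actions it may perform on PHI. Anything not listed is denied by default.
ROLE_PERMISSIONS = {
    "physician": {Action.READ, Action.UPDATE},
    "billing": {Action.READ},
    "records_admin": {Action.READ, Action.UPDATE, Action.EXPORT},
}


@dataclass(frozen=True)
class User:
    user_id: str  # unique per person; never a shared account
    role: str


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str
    user_id: str
    role: str
    action: str
    record_id: str
    allowed: bool
    reason: str


class PhiStore:
    """Minimal PHI record store: every access decision, allowed or denied, is logged."""

    def __init__(self, records):
        self._records = dict(records)
        self.audit_log = []

    def _log(self, user, action, record_id, allowed, reason):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user.user_id, user.role,
            action.value, record_id, allowed, reason))

    def access(self, user, action, record_id, new_value=None):
        perms = ROLE_PERMISSIONS.get(user.role, set())  # unknown role -> no permissions
        if action not in perms:
            # The denial is logged before the exception is raised: a burst of
            # denials from one user is exactly the misuse signal the log exists for.
            self._log(user, action, record_id, False, "action not permitted for role")
            raise PermissionError(f"role {user.role!r} may not {action.value}")
        if record_id not in self._records:
            self._log(user, action, record_id, False, "no such record")
            raise KeyError(record_id)
        self._log(user, action, record_id, True, "ok")
        if action is Action.UPDATE:
            self._records[record_id] = new_value
        return self._records[record_id]


def denied_attempts_by_user(audit_log, threshold=3):
    """Users with at least `threshold` denied attempts: the security officer's review queue."""
    counts = Counter(e.user_id for e in audit_log if not e.allowed)
    return {uid: n for uid, n in counts.items() if n >= threshold}


def accounting_for(audit_log, record_id):
    """Who actually touched one record, in order: raw material for an accounting of disclosures."""
    return [(e.user_id, e.action) for e in audit_log if e.allowed and e.record_id == record_id]


def run_scenario():
    """Constructed sample activity (not real data); returns the store so the log can be inspected."""
    store = PhiStore({"MRN-0001": "visit note v1", "MRN-0002": "lab result"})
    physician = User("u-dr-smith", "physician")
    clerk = User("u-clerk-jones", "billing")
    intern = User("u-intern-lee", "intern")  # role never defined -> denied everything
    attempts = [
        (physician, Action.READ, "MRN-0001", None),
        (physician, Action.UPDATE, "MRN-0001", "visit note v2"),
        (clerk, Action.READ, "MRN-0001", None),
        (clerk, Action.UPDATE, "MRN-0001", "tampered"),   # denied: billing is read-only
        (clerk, Action.EXPORT, "MRN-0001", None),         # denied
        (clerk, Action.EXPORT, "MRN-0002", None),         # denied
        (physician, Action.EXPORT, "MRN-0002", None),     # denied: physicians cannot export
        (intern, Action.READ, "MRN-0002", None),          # denied: unknown role
    ]
    for user, action, record_id, value in attempts:
        try:
            store.access(user, action, record_id, value)
        except (PermissionError, KeyError):
            pass  # the denial is already in the audit log
    return store


if __name__ == "__main__":
    s = run_scenario()
    for e in s.audit_log:
        print(e)
    print("review queue:", denied_attempts_by_user(s.audit_log))
    print("MRN-0001 history:", accounting_for(s.audit_log, "MRN-0001"))
```

The design choice worth noticing is that the log entry is written before the exception is raised, so a caller that swallows the error cannot also swallow the evidence; in the scenario the billing clerk's three denied attempts land in the review queue while a single stray denial from a physician does not, which is the kind of threshold a security officer would tune to the organization.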

MedAbiliti built a system to fit the client's specific business and federal regulatory needs. Let us do the same for you.

Conclusion

The Health Insurance Portability and Accountability Act of 1996 enforces the design and documentation of productive business practices for all organizations that store, manipulate, and transmit health information. The various standards outlined in HIPAA focus specifically on the measures that must be taken to increase efficiencies while securing health information within the industry. Administrative inefficiencies must be identified and rectified in order to decrease costs within the industry. Effective security measures must be established to ensure public and private confidence in the health care industry's ability to provide a truly quality service. MedAbiliti's custom technologies have been developed and enhanced over the past few years to assist organizations in their efforts to reach and surpass these goals. We develop solutions for the business of medicine.

How can we help you today? Please contact us at hipaa@medabiliti.com for more information.

Copyright 2003